Companies around the world are scrambling to set up remote work stations for employees, due to the growing coronavirus threat. Maintaining safe cybersecurity practices is essential, but a step easily overlooked in the frantic rush to get everything set up. Cybersecurity experts weigh in with advice on the best way to allow employees to work from home and still make sure your company’s data is protected.
If your company has already established a remote work system for all employees, you’re likely to have malware protection in place. However, if you have any staffers who are newly transitioning, it’s critical to ensure tight cybersecurity.
What the experts say about cybersecurity
“The spread of Coronavirus (COVID–19) is accelerating the pace at which many organizations are being pushed to embrace remote work,” said Gerald Beuchelt, chief information security officer of LogMeIn, which is currently not requiring employees to travel for work. “It’s important to ensure your teams are prepared for events that carry a high risk of operational interruptions by maintaining a business continuity plan.”
Beuchelt added, “Remote work enablement requires upfront coordination between IT, Security, HR, and Business Operations to ensure a successful program. Relying on security training and awareness programs to drive ‘cyber smart’ behavior not only at work but also at home (modern firewalls/routers, using strong passwords, patching, etc.) will also go a long way in keeping employees and your organization secure. These basics are most effective against fending off viruses and other malware.”
SEE: Coronavirus having major effect on tech industry beyond supply chain delays (free PDF) (TechRepublic)
Make thoughtful decisions
It’s important not to be hasty in making a large-scale transition to a home workforce, no matter how urgent concerns are, said Alex Willis, vice president of global sales engineering at BlackBerry, despite the fact that the coronavirus is sending employees to, “work from home in large numbers with very little time for IT to properly evaluate a solution. This results in either throwing money at expanding legacy VPN/VDI solutions that cost a lot, and are not user friendly to deploy, or deploying a quick solution too rapidly without ensuring proper security is in place.
“That’s why it’s critical to explore modern methods of remote mobile workforce enablement that provides great user experience, includes next-generation AI-driven security and allows the mobile worker to access any data or application required to be productive,” Willis said.
It can be easy to forget the basics. “From a security perspective,” said Javvad Malik, security awareness advocate for KnowBe4, “the first things a company should look into are whether there is enough capacity for employees to work from home at the same time. It is also important to ensure the right policies and tools are put in place to enable employees to work remotely. Not having the right tools in place can lead to employees using unapproved or insecure apps, tools, or methods to try and get their job done. Most of all, expectations should be set as to how the organization expects its employees to operate under remote conditions and how to raise any issues.”
Mobile threat potential
A Veritas Technologies spokesperson warned, “many employees are habitual in the way they store data, saving to local drives on laptops or to the public cloud when working remotely. If large percentages of employees shift towards remote work over time, it could create a pool of unstructured data that would become invisible to the business–causing a new wave of data protection and compliance concerns.” Given how quickly the coronavirus has spread, corporations may not have had time to implement necessary protocols. “It is a good idea for companies to set a baseline of security expectations for devices that access corporate data,” said David Richardson, vice-president, product management at Lookout, a mobile defense app. He offered the following considerations:
- Should non-corporate issued devices be allowed to access corporate data? Or only company-issued devices?
- What operating systems should be allowed to access corporate data? What minimum versions?
- What minimum security controls should be in place (e.g. passcode is set, encryption is enabled, device is free from malware)?
Tools, such as Mobile Device Management (for corporate-issued devices) and Mobile Threat Defense (appropriate for any device), can be used to get visibility and enforce policies.
Corporate preparedness includes
- Disaster recovery capabilities for systems that may become unavailable (due to loss of utilities, etc.)
- A business continuity framework (in support of SOC2 and ISO requirements)
- Ensuring all assets are up to date on patches
- Employees participate regularly in security awareness training
- Endpoint technologies such as EDR, or advanced antivirus monitor devices work outside traditional network perimeters
- Building contingency data management plans for systems cables to be accessed remotely
- Analyzing data protection strategies to identify gaps when employees choose the location of where they save data
Transitioning employees need
- Adequate access to critical resources through SaaS services
- Readily available remote support for field workers
- A security architecture that operates in hybrid operations environments
- Only secure, encrypted laptop computers and mobile phones available so devices are not compromised when used outside of offices
- The use of secure remote user VPN connections to protect connections to critical infrastructure and applications (the very minimum requirement for companies, said Dave Farrow, senior director, information security at Barracuda Networks.)
- In addition to VPN, MFA to “help add layers of security to working remotely,” said Jonathan Tanner, senior security researcher at Barracuda.
- “To continue to be educated and trained about phishing,” said Imperva’s CTO Kunal Anand. They need to “follow best practices,” which includes code scanning, code reviews, etc.
“Companies that have not transitioned to a remote-enabled, open network security architecture for at least some staff, this will likely be a fairly significant challenge,” Beuchelt said.
Implement these security measures
Two-factor authentication is critical for a remote group, said Justin Cappos, an associate professor at NYU Tandon School of Engineering. “It’s easier for an attacker to appear to be a remote employee, than a person sitting next to you in an office. So two-factor authentication is much more critical. I would definitely recommend using actual hardware tokens instead of SMS for this purpose.”
Some experts insist on remote workers using only company-issued devices to ensure the safest security measures in addition to two-factor sign-in. “Enforce a strong patch policy on corporate endpoints and educate employees on patching their home networking devices,” said Richard Mellick, senior technical product manager at Automox. “The easiest point of entry for a hacker is an unpatched vulnerability on any connected device.”
If an employee must use a personal device, “to access sensitive data,” Mellick said, “do not download documents or sensitive resources to your device. View and edit in the browser if possible.”
OpenText CEO and CTO Mark Barrenechea suggested companies “learn new ways to work, via the internet. Phone calls, virtual meetings, collaboration software, design tools, shared work spaces, and communication vehicles—well beyond email—are all available in the cloud and secure. It is about creating a sense of community, team work, and productivity. The right tools, like single sign-on (SSO), two-factor authentication (2FA), and Virtual Private Networks (VPNs) can provide the same level of security as if on a corporate network.
Critical information to impart on employees, from Darren Guccione, Keeper CEO and co-founder:
- When working from a public locale like a coffee shop, avoid using free Wi-Fi. Instead, use a personal hotspot, which is much more secure, and be sure to disable mobile Wi-Fi and Bluetooth when not in use to prevent connecting to unknown networks or peer-to-peer devices.
- For remote access to your work computer, use a VPN. A Virtual Private Network connection is essential for maintaining full end-to-end encryption when connecting to a remote computer.
- Enforce the usage of Two-Factor Authentication (2FA) on all websites, applications and systems, whenever possible, for an extra layer of security.
- Never reuse a password. Cybercriminals keep dictionary lists of the most commonly used passwords. They also know that if they are successful in breaching a single account, they will often be able to access multiple accounts for the same person due to the high frequency of password reuse.
- Train and educate employees about protecting company information. It’s important to set an example from the top and train employees on the importance of strong cyber hygiene early and often.
The enterprise will be reliant on “collaboration and conferencing technologies from providers such as Zoom, Cisco WebEx Teams, Microsoft Teams, and Slack,” said Robert Cruz, vice president of information governance at Smarsh. Using these popular technologies are beneficial, Cruz said, as it “reduces the number of in-person meetings, improved access to information, as well as a decreased use of email.”
Cruz notes that with companies like Twitter and Salesforce advising employees to work from home, it has created “a spike in demand for conferencing technologies,” now considered very acceptable alternatives “to the risks of maintaining physical office presence and air travel during this crisis. The likely short-term impact is that the growing mass market adoption of these technologies will drive an even more rigorous due diligence process to win over the more risk averse and conservative firms. A few collaboration and conferencing technology providers will stand above the rest in providing sufficient data privacy and security controls to satisfy broader market adoption fueled by the coronavirus situation.”
While working remotely, companies need to conduct “regular audits and a suite of tools that are now available to help manage passwords and cloud access should be deployed as well,” said Frank Speiser, CEO of Talla.